Astro is vulnerable to Reflected XSS via the server islands...

7.1 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

Description

Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands feature is used in the targeted application, regardless of what was intended by the component template(s). This issue has been patched in version 5.15.8.

Basic Information

ID CVE-2025-64764

Source GitHub_M

Published Nov 19, 2025 at 16:41

Modified Nov 19, 2025 at 21:07

Affected Product

Vendor withastro

Product astro

Version < 5.15.8

Affected Versions withastro astro < 5.15.8

CWE Classification

CWE-80

References

{
    "lastseen": "",
    "description": "Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands feature is used in the targeted application, regardless of what was intended by the component template(s). This issue has been patched in version 5.15.8.",
    "published": "2025-11-19T16:41:03.767Z",
    "modified": "2025-11-19T21:07:23.867Z",
    "type": "cve",
    "title": "Astro is vulnerable to Reflected XSS via the server islands feature",
    "source": "GitHub_M",
    "references": "https://github.com/withastro/astro/security/advisories/GHSA-wrwg-2hg8-v723\nhttps://github.com/withastro/astro/commit/790d9425f39bbbb462f1c27615781cd965009f91",
    "id": "CVE-2025-64764",
    "bulletinFamily": "",
    "cwe": [
        "CWE-80"
    ],
    "cvelist": null,
    "sourceData": "withastro astro < 5.15.8",
    "sourceHref": "",
    "cvss": {
        "score": 7.1,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "astro",
    "version": "< 5.15.8",
    "vendor": "withastro",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Astro is vulnerable to Reflected XSS via the server islands feature_CVE-2025-64764